从ajax jquery安全调用PHP Web服务函数,添加身份验证
问题描述:
jQuery.ajax({
type: "POST",
url: 'your_functions_address.php',
dataType: 'json',
data: {functionname: 'add', arguments: [1, 2]},
success: function (obj, textstatus) {
if( !('error' in obj) ) {
yourVariable = obj.result;
}
else {
console.log(obj.error);
}
}
});
and your_functions_address.php like this:
<?php
header('Content-Type: application/json');
$aResult = array();
if( !isset($_POST['functionname']) ) { $aResult['error'] = 'No function name!'; }
if( !isset($_POST['arguments']) ) { $aResult['error'] = 'No function arguments!'; }
if( !isset($aResult['error']) ) {
switch($_POST['functionname']) {
case 'add':
if( !is_array($_POST['arguments']) || (count($_POST['arguments']) < 2) ) {
$aResult['error'] = 'Error in arguments!';
}
else {
$aResult['result'] = add(floatval($_POST['arguments'][0]), floatval($_POST['arguments'][1]));
}
break;
default:
$aResult['error'] = 'Not found function '.$_POST['functionname'].'!';
break;
}
}
echo json_encode($aResult);
?>
How to avoid that anybody who find the url : 'your_functions_address.php' can call any function on the web service ?
is there a way of adding an authentication or security ?
I am applying SSL security of course but does SSL solve this problem ?
jQuery.ajax({
type:“POST”,
url:'your_functions_address.php',
dataType:'json',
data:{functionname:'add',arguments:[1,2]},
success:function(obj,textstatus){
if(!(obj中的'错误') ){
yourVariable = obj.result;
}
else {
console.log(obj.error);
}
}
});
code> pre> \ n
和your_functions_address.php如下: p>
&lt;?php
header('Content-Type:application / json');
\ n $ aResult = array();
if(!isset($ _ POST ['functionname'])){$ aResult ['error'] ='没有函数名!'; }
if(!isset($ _ POST ['arguments'])){$ aResult ['error'] ='没有函数参数!'; }
if(!isset($ aResult ['error'])){
开关($ _ POST ['functionname']){
case'add':
if(!is_array($ _ POST) ['arguments'])||(count($ _ POST ['arguments'])&lt; 2)){
$ aResult ['error'] ='参数错误!';
}
其他{\ n $ aResult ['result'] = add(floatval($ _ POST ['arguments'] [0]),floatval($ _ POST ['arguments'] [1]));
}
break;
\ n默认值:
$ aResult ['error'] ='找不到函数'。$ _ POST ['functionname']。'!';
break;
}
}
echo json_encode( $ aResult);
?&gt;
code> pre>
如何避免找到网址的任何人:'your_functions_address.php'可以调用网络服务上的任何功能? p>
是否有添加身份验证或安全性的方法? p>
我当然正在应用SSL安全性,但SSL是否解决了这个问题? p>
div>
答
You can implement login function that will return a token that need to be send to other functions:
session_start();
if( !isset($aResult['error']) ) {
switch($_POST['functionname']) {
case 'login':
if( !is_array($_POST['arguments']) || (count($_POST['arguments']) < 2) ) {
$aResult['error'] = 'Error in arguments!';
}
else {
if ($_POST['arguments'][0] == 'user' && $_POST['arguments'][1] == 'passsword') {
$time = array_sum(explode(' ', microtime()));
$aResult['result'] = md5($time);
$_SESSION['token'] = $aResult['result'];
}
}
break;
case 'add':
if( !is_array($_POST['arguments']) || (count($_POST['arguments']) < 2) ) {
$aResult['error'] = 'Error in arguments!';
}
else {
if ($_SESSION['token'] == $_POST['arguments'][0]) {
$aResult['result'] = add(floatval($_POST['arguments'][1]), floatval($_POST['arguments'][2]));
}
}
break;
default:
$aResult['error'] = 'Not found function '.$_POST['functionname'].'!';
break;
}
}
then in javascript you first call login function to get the token and then pass it as first argument to other functions: